RE: IDS, IPS or just rubbish

From: James Cutter (JamesCutter_at_thedoghousemail.com)
Date: 06/25/03

Date: Wed, 25 Jun 2003 03:18:45 -0700 (PDT)
To: focus-ids@securityfocus.com


    I was in one of their partner events as well. It looks to me like you misunderstood their point.

    They do not have many signatures. In fact, they do not claim to be a signature based company. They do claim to provide protection by understanding the protocols and applications.
    How many firewalls do you know that understand HTTP/1.1 (really understand, including the ability to catch different HTTP requests on the same connection, chunks, retransmissions, etc.)? How many firewalls are able to protect on day zero against double HTTP header attacks, WebDAV attacks, etc.?

    Even with the signatures that they do have, they perform aggressive matching against different encodings and regular expression matching. Adding the fact that they do IP fragment checks for all IP traffic (and not only port 80) and reassemble TCP streams, I think that they can be called intelligent. (And according to their claims, most of the work is done in the kernel, with an expected 3% performance loss. Even if I don't take this as they claim, it is better than any system I know. Believe me, I know.)

    I do think that they need to improve their configuration and documentation. Right now, fools cannot use their systems (without using us, the system integrators). It is too difficult. One should define resources, set different properties, and so on.
    For the first time in several years, I think that my customers understand why Checkpoint claims to be superior. All I need to do is demonstrate HTTP/1.1 penetration with other firewall systems.

    If I understand their vision, they are going further with non-signature policy.

    BTW, my customers are using their SQL Inspect fixes. They were able to operate while the worm was hitting them. How many other vendors offer this?

    I recommend my customers to keep using IDS. I think that there is a need for event correlation technology. Again, Checkpoint is not a signature company.

    Jack Ryan said:
    I went to the local product launch of Checkpoint FW-1 Next Generation *Artificial Intelligence* the other day and was interested to see that this technology is nothing more than a signature-based IDS that can pass stuff on to the firewall. Funnily enough they call it "Active Defense" which is the same name NAI used to describe Cybercop talking to Gauntlet before they dropped/sold the products.

    Checkpoint are pushing this patch to NG FP3 FW-1 as an all-in-one solution whereby you wouldn't need an IDS as well as a firewall. In Hong Kong they have over 70% of the firewall market - their market penetration is similar worldwide - in order to gain competitive advantage they are trying to crush the IDS/IPS market. Maybe they've been partying with Gartner.

    What's more they are lying through their teeth. I sat there and listened to them pull out terms like zero-day and protocol anomaly detection which is simply them jumping on the bandwagon of quality solutions. It is signature-based, and though Checkpoint will apparently notify you of any new threats you will still need to edit a text file so that the firewall knows what they are.

    Their big push is that they are doing application-layer stuff now which anyone who knows firewalls will know is what Sidewinder, Gauntlet and Axent (Symantec) have been doing for years. FW-1 is a stateful packet filter - and probably the best there is in terms of enterprise management. However they are not analysing traffic at the application layer aside from a handful of signatures. They were saying that FW-1 NG AI is the only gateway solution of its kind. Symantec have had signature-based IDS combined with the *real* layer 7 Raptor firewall in their SGS box for ages. (performance aside...)

    They kept telling me about SQL Slammer and how this solution will stop it. What utter crap. Can anyone on this list tell me of a signature-based IDS which picked Slammer up in the 2-odd hours it needed to propagate?

    There has been a lot of discussion here about the future of IDS - I think I've seen Checkpoint's vision....... Treat us all like fools.

    Zero-day detection my ****.

    _____________________________________________________________
    Get your FREE TheDoghouseMail email address at http://www.thedoghousemail.com

    _____________________________________________________________
    Select your own custom email address for FREE! Get you@yourchoice.com, No Ads, 6MB, IMAP, POP, SMTP & more! http://www.everyone.net/selectmail?campaign=tag

    -------------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    -------------------------------------------------------------------------------

    _____________________________________________________________
    Get your FREE TheDoghouseMail email address at http://www.thedoghousemail.com

    _____________________________________________________________
    Select your own custom email address for FREE! Get you@yourchoice.com, No Ads, 6MB, IMAP, POP, SMTP & more! http://www.everyone.net/selectmail?campaign=tag

    -------------------------------------------------------------------------------
    Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas, the
    world's premier technical IT security event! 10 tracks, 15 training sessions,
    1,800 delegates from 30 nations including all of the top experts, from CSO's to
    "underground" security specialists. See for yourself what the buzz is about!
    Early-bird registration ends July 3. This event will sell out. www.blackhat.com
    -------------------------------------------------------------------------------
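Cutter's point about "really understanding" HTTP/1.1 (several requests on one connection, chunked bodies, alternate encodings, segments that split a request) is easier to see with a small detection example. The code below is an added illustration, not code from either poster or from Checkpoint or any other vendor named in the thread; the rule string `/admin/`, the host `example.test` and the three traffic scenarios are all constructed. It compares a naive per-segment substring match with a parser that first reassembles the TCP stream, then walks every pipelined request, de-chunks bodies and percent-decodes the path before matching.

```python
"""Per-segment pattern matching versus HTTP/1.1-aware stream inspection.

Three constructed deliveries of the same kind of request:
  1. "plain":  one request in one TCP segment,
  2. "split":  the request line cut across two TCP segments,
  3. "pipelined_encoded_chunked": a benign request followed on the same
     connection by one with a percent-encoded path and a chunked body.
A per-segment search only catches the first; a parser that reassembles
the stream and normalises each request catches all three.
"""
from urllib.parse import unquote

# Hypothetical detection rule (constructed, not a real vendor signature):
# flag any request whose decoded path contains "/admin/".
SUSPICIOUS_PATH_FRAGMENT = "/admin/"

# Constructed traffic; each scenario is a list of TCP payloads in order.
SCENARIOS = {
    "plain": [b"GET /admin/config HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    "split": [b"GET /adm", b"in/config HTTP/1.1\r\nHost: example.test\r\n\r\n"],
    "pipelined_encoded_chunked": [
        b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
        b"POST /%61dmin/upload HTTP/1.1\r\nHost: example.test\r\n"
        b"Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n",
    ],
}


def naive_match(segments):
    """Search each TCP payload on its own; returns indices of matching segments."""
    needle = SUSPICIOUS_PATH_FRAGMENT.encode()
    return [i for i, seg in enumerate(segments) if needle in seg]


def parse_http_stream(data: bytes):
    """Walk every pipelined HTTP/1.1 request in a reassembled byte stream.

    Returns a list of (method, decoded_path, body). Bodies framed by
    Content-Length and by chunked Transfer-Encoding are both consumed, so
    the parser stays aligned with the next request on the connection.
    """
    requests = []
    pos = 0
    while pos < len(data):
        hdr_end = data.find(b"\r\n\r\n", pos)
        if hdr_end == -1:
            break  # trailing partial request: wait for more segments
        head = data[pos:hdr_end].decode("latin-1")
        lines = head.split("\r\n")
        method, target, _version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        pos = hdr_end + 4
        body = b""
        if headers.get("transfer-encoding", "").lower() == "chunked":
            while True:
                crlf = data.find(b"\r\n", pos)
                size = int(data[pos:crlf].split(b";")[0], 16)  # ignore chunk extensions
                pos = crlf + 2
                if size == 0:
                    # skip optional trailer headers up to the terminating blank line
                    while True:
                        crlf = data.find(b"\r\n", pos)
                        trailer = data[pos:crlf]
                        pos = crlf + 2
                        if not trailer:
                            break
                    break
                body += data[pos:pos + size]
                pos += size + 2  # chunk data plus its CRLF
        elif "content-length" in headers:
            length = int(headers["content-length"])
            body = data[pos:pos + length]
            pos += length
        # Normalise before matching: strip the query, decode percent-encoding.
        path = unquote(target.split("?", 1)[0])
        requests.append((method, path, body))
    return requests


def stream_match(segments):
    """Reassemble the connection, then match on each normalised request path."""
    stream = b"".join(segments)
    return [i for i, (_m, path, _b) in enumerate(parse_http_stream(stream))
            if SUSPICIOUS_PATH_FRAGMENT in path]


def compare(scenarios=SCENARIOS):
    """Per scenario: (naive per-segment match fired?, stream-aware match fired?)."""
    return {name: (bool(naive_match(segs)), bool(stream_match(segs)))
            for name, segs in scenarios.items()}


if __name__ == "__main__":
    for name, (naive, aware) in compare().items():
        print(f"{name:28s} per-segment={naive!s:5s} stream-aware={aware}")
```

The "split" and "pipelined_encoded_chunked" rows are the cases Cutter is describing: without TCP reassembly the pattern never appears in a single payload, and without walking the chunked body the parser would lose its place and treat `hello` as the start of the next request. Retransmissions and IP fragments are the same class of problem one layer down and are not modelled here.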

